The present invention relates to the field of and Web service security.
Many organizations depend on Web-based software (e.g., Web application) to run their business processes, conduct transactions, and deliver increasingly sophisticated services to customers. Every Web application (e.g., Web service) destined for online deployment frequently addresses security issues as an integral part of the software delivery process. Unfortunately, in the race to meet deadlines and stay ahead of the competition, many businesses fail to perform adequate security testing. This often results in vulnerabilities providing ample opportunity for unauthorized users to access or steal corporate and/or personal data. That is, security flaws within Web services can place employees and the business at risk. The most efficient way to stay ahead of application security vulnerabilities is to build software securely, from the ground up.
The business logic carried out by components of Web services often places restrictions on users of that component. For example, if a Web service is used for alcohol sale, then the age of the user should be verified to decide whether that person is eligible for service. A recent solution to this problem is an approach which utilizes “claims-based authorization”. Claims-based authorization specifies processes for validating relevant details about the user (e.g., age) of the Web component. The Web service defines a set of criteria (e.g., age) that the user must satisfy, which is known as the claim set. For each criterion in this set, there is an entity the Web service trusts, which can provide information about the user with respect to that criterion. This entity is referred to as the token issuer, where the token holds the information the Web service can use to authenticate the user. To authorize a user, the Web service can request a suitable set of tokens (e.g., Security Assertion Markup Language tokens), where each token contains a certain claim set. The Web service can inspect the information stored inside the tokens, and based on results of the inspection can decide to serve the user.
Testing authorization logic carried out by a Web service which uses claims-based authorization can be challenging. One hurdle to testing authorization logic is that the range of values corresponding to each claim can be unbounded. For example, the claim can assume string values corresponding to names or allowed actions. Thus, testing a Web service using simple enumeration of all the possible values for all the relevant claims can be time consuming, resource intensive and error prone. That is, “brute force” testing can be a non-viable strategy.